Office of Audits and Evaluations
Report No. EVAL-14-001

The FDIC’s Information Technology Project Management Process

July 2014

Executive Summary

Why We Did The Evaluation

IT projects involve all FDIC divisions and offices and are critical to the FDIC’s operations and successful
accomplishment of the Corporation’s mission, goals, and objectives. In addition, the FDIC invests
significant funding and internal resources in such projects. For example, as of December 31, 2013, the
FDIC's incurred costs for projects completed or in process during 2012 and 2013 were approximately
$111.7 million.

Our objective was to (1) assess the extent to which the FDIC’s IT projects are meeting their cost,
schedule, and requirements expectations; (2) identify factors that promote project success or prevent
projects from meeting expectations; and (3) identify opportunities for strengthening the FDIC’s controls
for monitoring IT projects. To address the first part of our objective, we obtained reports on IT projects
completed or in-process during 2013. For the second and third parts of our objective, we selected six IT
projects in process or completed during 2012 for in-depth review. In selecting the projects, we included
those governed by the FDIC’s Capital Investment Review Committee (CIRC) and Chief Information
Officer’s (CIO) Council and from a cross-section of FDIC divisions and offices.
We also took into consideration factors such as the project management method employed, estimated cost,
the contractor engaged to work on the project, and the extent to which there were any known problems or
positive attributes. For each project, we reviewed project-related documentation and interviewed FDIC and
contractor personnel involved with the projects, in the context of relevant industry practices and FDIC
policies and procedures.

Background

The Office of Management and Budget (OMB) has reported that IT advancements have been at the center
of a transformation in how the private sector operates—and have revolutionized the efficiency,
convenience, and effectiveness with which the private sector serves its customers. However, according to
OMB, the federal government largely has missed out on that transformation due to poor management of
technology investments, with IT projects too often costing hundreds of millions of dollars more than they
should, taking years longer than necessary to deploy, and delivering technologies that are obsolete by the
time they are completed. Similarly, the U.S. Chief Information Officer has noted that too often, federal
IT projects run over budget, fall behind schedule, or fail to deliver promised functionality. Many projects
use “grand design” approaches that aim to deliver functionality every few years, rather than breaking
projects into more manageable chunks and demanding new functionality every few quarters.

The FDIC’s CIO plays a key role in both IT governance and IT project management at the FDIC.
Specifically, the CIO is responsible for ensuring that all capital investment projects are consistent with the
information technology strategies and objectives of the Corporation, including those related to
architectural alignment, security, and resource optimization.
The CIO also ensures that proposed systems development projects are adequately planned, estimated,
resourced, and monitored throughout the development life cycle.

The FDIC’s Board of Directors approves funding for capital investments, including IT projects, involving
estimated costs of $3 million or more and receives updates on those projects and the performance of the
portfolio as a whole on a quarterly basis. The FDIC’s IT projects are governed by three entities—the
CIRC, the CIO Council, or the Corporate Management Council (CM)—depending on the cost and nature
of the project.

IT project management is considered to be the day-to-day discipline of organizing and managing
resources (e.g., people and budget) so a project delivers intended requirements within defined scope,
quality, time, and cost constraints. Implementing the process is a shared responsibility among DIT, the
FDIC division or office sponsoring an IT project (client), and the IT contractor responsible for developing
the application.

The FDIC uses the Rational Unified Process® (RUP) as its system development life cycle methodology
(SDLC) for managing IT projects. The RUP framework may be tailored to meet the specific needs of
projects based on their risk (size, scope, and complexity).
The RUP framework promotes iterative development, which is a flexible, risk-focused approach to
software development divided into four phases and eleven disciplines. Although the RUP framework has
always included aspects of the Agile methodology, DIT began promoting and applying the Agile
methodology for FDIC IT projects in 2012. Agile software development supports the practice of shorter
software delivery. Specifically, Agile calls for the delivery of software in small, short increments rather
than in the typically long, sequential phases of a traditional SDLC waterfall approach.

DIT management conducts milestone reviews at the completion of each RUP phase. Milestone reviews
mark a point at which management and technical expectations should be resynchronized. These reviews
should ensure projects have met the goal of each RUP phase and form the basis for determining whether
the FDIC should move to the next phase of the IT project. If a project experiences significant challenges
and is underperforming, the CIO Council may request a TechStat review. A TechStat review is an
evidence-based review of an IT investment based on a model developed by OMB, with a focus on
problem solving that will lead to corrective action to improve overall performance.

Evaluation Results

Most CIRC and CIO Council projects completed or in process during 2013 met planned schedules, were
within 10 percent of annual budgeted expenses, and met user expectations. Still, perceptions and
anecdotes persist that FDIC IT projects are sometimes too costly, experience delays, or do not deliver
promised specifications. During our evaluation, the CIO Council used an annual budget process to
monitor IT project costs. We concluded that the CIO Council could enhance its cost monitoring by
evaluating total project costs against initial project budgets.
Doing so would more readily show to what extent individual projects, and the portfolio as a whole, meet
life-cycle cost expectations. The FDIC’s Project Management Office was developing metrics for tracking
projects against initial project budgets at the time we were completing our fieldwork. Further, the Acting
CIO indicated that he will continue to have dialogues with those having key roles in IT governance and
project management regarding metrics being used to determine project success. Based on these ongoing
efforts, we determined that a recommendation associated with these matters was not warranted.

With respect to the six projects we selected for in-depth review, four of the six have been completed.
Three of the completed projects met both schedule and cost expectations, while the other project missed
the original estimated completion date by 1 year, and actual cost far exceeded the original budget. The
two projects that are in process are both behind schedule and could, as a result, experience cost overruns.

As a result of our interviews and analysis of these projects, we identified the following aspects of the IT
project management process that were key factors in project success or contributed to challenges,
depending on whether and how well they were carried out:

    • Thoroughly planning and scoping the IT project.
    • Ensuring developers understand the FDIC’s environment.
    • Managing IT project collaboration and communication.
    • Implementing an effective milestone review process.
    • Preparing a dedicated testing team.
    • Assigning independent risk managers.

Ensuring that these factors are emphasized and the related controls are in place and working during
ongoing and future IT projects could provide greater assurance that the projects meet cost, schedule and
requirements expectations.

Recommendation and Corporation Comments

The report contains one recommendation for the Acting CIO to: (1) advise client division and offices, IT
project teams, DIT intersecting organizations, and appropriate governance bodies of the key factors in
project success or challenges and related controls we identified in this report and (2) determine whether
guidance in any of these areas needs to be strengthened.

The Acting CIO provided a written response, dated June 25, 2014, to a draft of this report.
In the response, the Acting CIO concurred with the report’s recommendation and described completed and
planned corrective actions, which are responsive to the recommendation.

Contents

Background
    IT Project Management Process, Roles, and Responsibilities
    System Development Life Cycle Methodology

Evaluation Results

    Extent to Which the FDIC’s IT Projects Are Meeting Their Cost, Schedule, and Requirement Expectations
        Conclusion

    Factors that Promote IT Project Success or Prevent Projects from Meeting Expectations
        Thoroughly Planning and Scoping the IT Project
        Ensuring Developers Understand the FDIC’s IT Environment
        Managing Collaboration and Communication
        Implementing an Effective Milestone Review Process
        Having a Well-Informed and Dedicated Testing Team
        Assigning an Independent Risk Manager to Projects
        Conclusion and Recommendation

Corporation Comments and OIG Evaluation

Appendices
    1. Objective, Scope, and Methodology
    2. Glossary
    3. Acronyms and Abbreviations
    4. Summaries of IT Projects Included in the Evaluation
    5. Corporation Comments
    6. Summary of the Corporation’s Corrective Actions

Tables
    1. Key IT Governance Bodies
    2. Key IT Project Management Parties
    3. Summary of Sampled IT Projects
    4. Overall BOI Rating Definitions
    5. Summary of Projects Sampled

Figures
    1. RUP System Development Life Cycle Process and Phases
    2. Milestone Meeting Rules of Engagement
    3. Summary of FDIC Policies and Procedures and IT Governance Documents

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226
Office of Audits and Evaluations
Office of Inspector General

DATE: July 14, 2014

MEMORANDUM TO: Martin D. Henning
               Acting Chief Information Officer

FROM: /Signed/
      Stephen M. Beard
      Deputy Inspector General for Audits and Evaluations

SUBJECT: The FDIC’s Information Technology Project Management Process
         (Report No. EVAL-14-001)

This report presents the results of our evaluation of the FDIC’s information technology (IT)
project management process.
The report contains one recommendation intended to strengthen
controls in areas we determined were key to project success or challenges.

IT projects involve all FDIC divisions and offices and are critical to the FDIC’s operations and
successful accomplishment of the Corporation’s mission, goals, and objectives. In addition, the
FDIC invests significant funding and internal resources in such projects. For example, as of
December 31, 2013, FDIC's incurred costs for projects completed or in process during 2012 and
2013 were approximately $111.7 million.

Our objective was to (1) assess the extent to which the FDIC’s IT projects are meeting their cost,
schedule, and requirement expectations; (2) identify factors that promote project success or
prevent projects from meeting expectations; and (3) identify opportunities for strengthening the
FDIC’s controls for monitoring IT projects. To address the first part of our objective, we
obtained reports on IT projects completed or in-process during 2013. For the second and third
parts of our objective, we selected six IT projects in process or completed during 2012,
interviewed FDIC and contractor personnel involved with the projects, and reviewed
project-related documentation, in the context of relevant industry practices and FDIC policies and
procedures.

We conducted this evaluation in accordance with the Council of the Inspectors General on
Integrity and Efficiency’s Quality Standards for Inspection and Evaluation. Appendix 1 of this
report includes additional details on our objective, scope, and methodology.
Appendix 2 contains a glossary of key terms,[1] and Appendix 3 contains a list of acronyms and
abbreviations.

Appendixes 4, 5, and 6 include summaries of IT projects we reviewed during our evaluation, the
Corporation’s comments on a draft of this report, and a summary of the corrective actions being
taken to address the report’s one recommendation, respectively.

[1] Terms that are underlined when first used in this report are defined in Appendix 2, Glossary.

Background

The Office of Management and Budget (OMB) has reported that IT advancements have been at
the center of a transformation in how the private sector operates—and have revolutionized the
efficiency, convenience, and effectiveness with which the private sector serves its customers.
However, according to OMB, the federal government largely has missed out on that
transformation due to poor management of technology investments, with IT projects too often
costing hundreds of millions of dollars more than they should, taking years longer than necessary
to deploy, and delivering technologies that are obsolete by the time they are completed.
Similarly, the U.S. Chief Information Officer has noted that too often, federal IT projects run
over budget, fall behind schedule, or fail to deliver promised functionality. Many projects use
“grand design” approaches that aim to deliver functionality every few years, rather than breaking
projects into more manageable chunks and demanding new functionality every few quarters.[2]

IT Project Management Process, Roles, and Responsibilities

The FDIC’s Chief Information Officer (CIO) plays a key role in both IT governance and IT
project management at the FDIC.
Specifically, the CIO is responsible for ensuring that all
capital investment projects are consistent with the information technology strategies and
objectives of the Corporation, including those related to architectural alignment, security, and
resource optimization. The CIO also ensures that proposed systems development projects are
adequately planned, estimated, resourced, and monitored throughout the development life cycle.

For purposes of better understanding the scope and results of our review, it is important that we
distinguish between IT governance and IT project management as it relates to other entities,
offices, and individuals that have functional roles in those areas. The FDIC defines IT
governance as:

        An integral part of enterprise governance which consists of the leadership,
        organizational structures, and processes that ensure that IT sustains and extends
        the FDIC's strategies and objectives. The overall objective of IT governance is to
        understand the issues and the strategic importance of IT. IT governance aims at
        ensuring that expectations for IT are met and IT risks are mitigated.

Table 1 below summarizes the entities that play key roles in IT governance as it relates to the
approval and monitoring of the Corporation’s IT projects.

[2] Effective planning and management of IT and non-IT capital investments are mandated by Congress and by OMB
for most federal agencies.
Although many of these laws and directives are not legally binding on the FDIC, the
FDIC recognizes that they constitute best practices and should be adopted in whole or in part.

Table 1: Key IT Governance Bodies

Governance Body
    Responsibilities

Board of Directors [a]
    Approves funding requests for new and existing capital investment
    projects involving estimated costs of $3 million or more. Receives
    quarterly updates for individual projects as well as an assessment of the
    performance of the portfolio as a whole.

Capital Investment Review Committee (CIRC) [b]
    Approves projects estimated to cost more than $3 million. The purpose of
    the Committee is to implement a systematic management review process
    that supports budgeting for the FDIC’s capital investments and ensures the
    regular monitoring and proper management of these investments, once
    funded.

CIO Council [c]
    Advises the CIO on all aspects of adoption and use of IT at the FDIC. The
    Council prioritizes and selects IT projects for funding and reviews the
    progress of these projects on a monthly basis.

Corporate Management Council (CM)
    Governs projects that focus on improvements and enhancements to
    Division of Information Technology (DIT) products.

Project Initiation Review (PIR) Committee
    Reviews all FDIC IT projects to ensure DIT management support and
    compatibility with the FDIC’s IT infrastructure, and avoid duplication or
    additional costs. Ensures that the appropriate budgetary resources,
    infrastructure standards, security standards, and enterprise architecture
    planning are in place to support new project initiatives.

Program Management Office (PMO)
    A resource center for clients, executives, project managers, and project
    team members engaged in the operations and oversight of IT projects. The
    PMO's mission is to continuously improve the practice and results of IT
    program and project management.

Source: FDIC DIT Web site.
Notes:
[a] The Board of Directors consists of the FDIC Chairman; FDIC Vice Chairman; FDIC Director; Comptroller of the
Currency; and Director, Consumer Financial Protection Bureau.
[b] The CIRC is chaired by the Chief Financial Officer (CFO) and CIO, and its members include the Chief Risk Officer,
division directors, and the Director, Office of Complex Financial Institutions.
[c] The CIO Council is chaired by the CIO and includes executive representatives of the FDIC’s divisions and offices.

IT project management, on the other hand, is considered to be:

        The discipline of organizing and managing resources (e.g., people and budget) so
        a project delivers intended requirements within defined scope, quality, time, and
        cost constraints.

Implementing the IT project management process is a shared responsibility among DIT, the
FDIC division or office sponsoring an IT project (client), and the IT contractor responsible for
developing the application.[3] Table 2 below identifies and describes the key parties involved in
that process.

[3] The FDIC awarded an Information Technology Application Services Basic Ordering Agreement in May 2013 to
11 contractors to develop IT projects and perform other IT-related services for FDIC divisions and offices.

Table 2: Key IT Project Management Parties

Key Party
    Responsibilities

Client Program Manager
    Leads the requirements package development for the IT project and for the
    final approval of all process and software development documents,
    including the establishment and maintenance of roles and responsibilities.

Client Project Manager
    Leads the planning of the project, coordinates interactions with the other
    parties involved in the project, and keeps the project team focused on
    meeting the project objectives.

DIT Project Manager
    Serves as the Technical Monitor for the software contractor and is
    responsible for ensuring the contractor’s performance on the contract in
    developing the software. Also ensures that the contractor is coordinating
    with other DIT areas such as configuration management, enterprise
    architecture, infrastructure services, and quality assurance, which are
    known as intersecting organizations (IOs).

Contractor’s Project Manager
    Ensures the product is delivered by the contractor in compliance with the
    contract requirements and schedule.

Project Testing Team
    Responsible for the core activities of the test effort. Those activities
    include identifying, defining, implementing, and conducting the necessary
    testing processes as well as logging the outcomes of the testing and
    analyzing the results.

Independent Risk Manager
    The Division of Finance’s (DOF) Corporate Management Control Branch
    (CMCB) provides an Independent Risk Manager for CIRC and other major
    CIO Council IT projects.
    This individual maintains the risk list and
    provides risk management support to the project.

Source: OIG review of StarTeam documentation for six IT Projects and the FDIC’s RUP Web site.

System Development Life Cycle Methodology

The FDIC uses the Rational Unified Process® (RUP) as its system development life cycle
methodology (SDLC) for managing IT projects. The RUP framework may be tailored to meet the
specific needs of projects based on their risk (size, scope, and complexity). Although the
RUP framework has always included aspects of the Agile methodology, DIT began promoting and
applying the Agile methodology for FDIC IT projects in 2012.

        [Sidebar] Agile software development supports the practice of shorter software
        delivery. Specifically, Agile calls for the delivery of software in small, short
        increments rather than in the typically long, sequential phases of a traditional
        SDLC waterfall approach. Agile emphasizes early and continuous software delivery,
        the use of collaborative teams, and measuring progress with working software.
        For Agile to be practical, each feature must be fully developed, tested, styled,
        and accepted by the user before counting it as completed and moving on to the
        next feature. An important aspect of the Agile methodology is that the client
        users are involved in project development and that their feedback from testing
        is critical.

The RUP framework promotes iterative development, which is a flexible, risk-focused approach to
software development divided into four phases and eleven disciplines as shown in Figure 1.

[Figure 1: RUP System Development Life Cycle Process and Phases. Source: FDIC RUP Web site.]

A more detailed discussion of each RUP phase follows.

Inception Phase

The primary goal of the Inception phase is to develop an understanding of the client’s
requirements and the purpose of the IT project.

The client, contractor, and DIT project manager scope the project and document the functional
requirements that address the client’s business needs, such as the type of reporting needed, and
non-functional requirements, such as the number of anticipated users, required operating speeds,
and data capacity.

The PIR Committee meets at the beginning and throughout the Inception phase with the project
managers to review start-up of the initiatives, help establish priorities, resolve potential conflicts,
and plan key activities to successfully initiate the project.

During the Inception phase, the IT project team considers alternative solutions for achieving the
client’s needs. Solutions may include purchasing an existing system from a vendor, customizing
an existing product, or developing new software from scratch.
It is critical for all aspects of the
project to be explored, including recognizing interfaces with other systems, identifying key risks,
determining acceptance criteria, and capturing the most important reporting requirements, among
other things.

The scope, risks, potential solutions, costs, schedules, resources required, and acceptance criteria
should be understood by the parties responsible for developing the project at the completion of
the Inception phase. However, further knowledge gained in the Elaboration phase may clarify
these aspects of the project and require adjustments.

Elaboration Phase

The primary goal of the Elaboration phase is to prove that the solution selected will successfully
meet the requirements.

The contractor further evaluates the project's architecture and determines the required resources.
The contractor and the client consider possible applications of the software and costs associated
with a project. The contractor also tests critical aspects of the software solution and builds a
prototype of the software to validate that the proposed solution will support the IT project
requirements at a reasonable cost and in a reasonable timeframe. At the end of the Elaboration
phase, the product vision and requirements, and architecture should be stable; the key approaches
to be used in test and evaluation are proven; major risk elements have been addressed and
credibly resolved; iteration plans for the Construction phase are of sufficient detail and quality to
allow the work to proceed; and actual resource expenditure versus planned expenditure is
acceptable. The project may be aborted or considerably re-thought if it fails to reach this
milestone.

Construction Phase

The primary goal of the Construction phase is to ensure that the IT software is useable and
includes all necessary functionality.

The contractor develops and completes the project.
The contractor and DIT project manager
should confirm that the client business units are ready to accept the new software. At this time,
the contractor and client should complete the analysis, design and development, and testing of all
required functionality.

Transition Phase

The primary goal of the Transition phase is to ensure that software is available for its users.

The Transition phase can span several iterations and includes testing the product in preparation
for release and making minor adjustments based on user feedback. At this point in the lifecycle,
user feedback should focus mainly on fine-tuning the product, configuration, installation, and
user-related issues. By the end of the Transition phase, lifecycle objectives should have been
met, the contractor and DIT execute deployment plans, and the project should be ready to be
closed out.

Project Reviews

DIT management conducts milestone reviews at the completion of each RUP phase. Milestone
reviews mark a point at which management and technical expectations should be resynchronized.
These reviews should ensure projects have met the goal of each RUP phase and form the basis
for determining whether the FDIC should move to the next phase of the IT project. If a project
experiences significant challenges and is underperforming, the CIO Council may request a
TechStat review. A TechStat review is an evidence-based review of an IT investment based on a
model developed by the OMB, with a focus on problem solving that will lead to corrective action
to improve overall performance. However, in some cases, a TechStat may reveal that the best
course of action for an investment is that it temporarily be halted or even terminated. In
addition, the CIRC meets quarterly and the CIO Council meets monthly to monitor their
respective IT project portfolios.
During these meetings, client and DIT project managers make
presentations related to project status and request scheduling and budget adjustments, as needed.


Evaluation Results

Most CIRC and CIO Council projects completed or in process during 2013 met planned
schedules, were within 10 percent of annual budgeted expenses, and met user expectations. Still,
perceptions and anecdotes persist that FDIC IT projects are sometimes too costly, experience
delays, or do not deliver promised specifications. During our evaluation, the CIO Council used
an annual budget process to monitor IT project costs. We concluded that the CIO Council could
enhance its cost monitoring by evaluating total project costs against initial project
budgets. Doing so would more readily show to what extent individual projects, and the portfolio
as a whole, meet life cycle cost expectations. The PMO was developing metrics for tracking
projects against initial project budgets at the time we were completing our fieldwork. Further,
the Acting CIO indicated that he will continue to have dialogues with those having key roles in
IT governance and project management regarding metrics being used to determine project
success. Based on these ongoing efforts, we determined that a recommendation associated with
these matters was not warranted.

With respect to the six projects we selected for in-depth review, four of the six have been
completed. Three of the completed projects met both schedule and cost expectations, while the
other project missed the original estimated completion date by 1 year, and actual cost far
exceeded the original budget. The two projects that are in process are both behind schedule and
could, as a result, experience cost overruns.
As a result of our interviews and analysis of these
projects, we identified the following aspects of the IT project management process that were key
factors in project success or contributed to challenges, depending on whether and how well they
were carried out:

   •   Thoroughly planning and scoping the IT project.
   •   Ensuring developers understand the FDIC’s environment.
   •   Managing IT project collaboration and communication.
   •   Implementing an effective milestone review process.
   •   Preparing a dedicated testing team.
   •   Assigning independent risk managers.

Ensuring that these factors are emphasized and the related controls are in place and working
during ongoing and future IT projects could provide greater assurance that the projects meet cost,
schedule and requirements expectations. To that end, we are recommending that the Acting
CIO (1) advise client divisions and offices, IT project teams, DIT intersecting organizations, and
appropriate governance bodies of the key factors in project success or challenges and related
controls we identified in this report and (2) determine whether guidance in any of these areas
needs to be strengthened.


Extent to Which FDIC IT Projects Are Meeting Their
Schedule, Cost, and Requirement Expectations

Most CIRC and CIO Council projects completed or in process during 2013 met planned
schedules, were within 10 percent of annual budgeted expenses, and met user expectations.
Results were mixed as it relates to meeting schedule and cost expectations for the projects we
selected for detailed review, while user satisfaction was consistently favorable.
With respect to
projects meeting cost expectations, we discuss in this section how the FDIC’s contracting and
budgeting approaches influenced that metric.

Meeting Schedule and Cost Expectations. Of the FDIC’s 34 projects active or completed
during 2013, 27 were within 10 percent of their project milestones and 31 projects were within
10 percent of their annual 2013 budget.

We selected six projects for review from FDIC’s inventory of IT projects completed or
in-process as of December 31, 2012. As shown in Table 3, three of the completed projects met both
schedule and cost expectations, while the other project missed the original estimated completion
date by 1 year, and actual cost far exceeded the original budget. The two projects that are in
process are both behind schedule and could, as a result, experience cost overruns. However,
such overruns are largely mitigated because the FDIC uses firm fixed-price contracts for the
Construction and Transition phases. As such, the FDIC is generally not obligated to compensate
the contractor for costs above the contract ceiling price. Further, as discussed later, the FDIC
had historically budgeted and measured the cost of projects on an annual basis, which made it
difficult to measure the total actual cost of an ongoing project against its original estimated cost.

Table 3: Summary of Sampled IT Projects

| Name of Project | Within Schedule? | Within Contract Budget? | Project Status/Key Points |
|---|---|---|---|
| Advanced Legal Information System (ALIS) | No | No | Project Completed. ALIS was originally planned to be completed by first quarter 2012 at a cost of approximately $1.7 million. The CIO Council ordered a TechStat assessment in July 2012 as the project was significantly behind schedule and over-budget. The TechStat resulted in recommended corrective actions for improving management of the project. ALIS was completed in August 2013 at a total cost of $4.7 million. |
| Assessment Information Management System (AIMS) | Yes | Yes | Project Completed. Changes mandated by the Dodd-Frank Wall Street Reform and Consumer Protection Act directly impacted the FDIC Assessment Program and required modifications to the AIMS system to address technology obsolescence risks and to revise the AIMS’ method for calculating assessments. A key to AIMS’ success was that there was 100 percent staff involvement from DOF’s Assessments Branch. |
| Claims Administration System (CAS) | Yes | Yes | Project Completed. CAS had strong senior management support. A key to the project’s success was that the project scope was identified early and remained constant throughout the project. |
| Examination Tools Suite-Supervisory Application Generating Exams (ETS-SAGE) | No | Yes, but will likely exceed budget. | Construction Phase in Process. During our evaluation, ETS-SAGE was progressing well and parties we interviewed reported favorably on the use of the Agile development approach. However, significant challenges developed during the second half of 2013 when the project team discovered that, although the IT solution worked in the test environment, it would not work in remote locations where it is most needed. As a result, the project has experienced several delays and will require a contract extension to be completed. |
| Identity Access Management System (IAMS) | Yes | Yes | Project Completed. IAMS experienced a number of challenges early in the development and the contractor appeared to have misunderstood the complexity of the project. The contractor’s project manager and other key team members were replaced and the project’s development significantly improved. |
| Proforma Modernization (PROFORMA) | No | Yes | Construction Phase in Process. The project has been significantly challenged with application, hardware, connectivity, and network performance issues. The FDIC’s current infrastructure does not support the IT solution developed by the contractor. The CIO Council approved a 5-month extension of the project completion date in January 2014. |

Source: OIG interviews and review of IT project files.

Meeting Requirements Expectations. To gain perspective on the extent to which FDIC IT
projects are meeting requirements expectations, we asked FDIC users that participated in testing
of the IT projects in our sample whether they considered the IT project to be performing as
expected. The perceived success of an IT project may change over time; however, the responses
we received indicated consistent satisfaction with the performance of these projects.
Even on
completed projects that overcame significant challenges and delays, the users felt that the end
product met or exceeded their expectations.

In addition, to validate the extent a project has realized its objectives, business values, and
outcomes, DIT’s PMO conducts a business outcome and lessons learned evaluation on
completed CIO Council and CM projects.[4] These post-project surveys indicated that the FDIC’s
IT project management process is ultimately delivering software development products that meet
users’ expectations, even when IT project development is not completed within estimated
milestones and budgets.

[4] The objectives, business values, and outcomes are established at the outset of a project in the Business Proposal
Outline or Project Proposal Outline by the client organization with the assistance of a DIT business analyst.

The PMO assigns Business Outcome Index (BOI) ratings for each IT project based on Business
Value Realized, Project Objective Attainment, and Quality of Delivery, and the PMO assigns an
Overall Project Rating. As of December 31, 2013, based on ratings of 68 IT projects, the
average BOI was 3.7 based on a 5-point scale indicating that IT projects generally exceeded their
expected business value. Table 4 illustrates the overall BOI rating definitions for 2013 projects.

Table 4: Overall BOI Rating Definitions

| BOI Rating | Initiative Realized Value | Number of Projects |
|---|---|---|
| Greater than 4 and/or equal to 5 | High Business Value | 32 |
| Greater than 3 and/or equal to 4 | Exceeded Business Value | 25 |
| Greater than 2 and/or equal to 3 | Realized Value | 9 |
| Greater than 1 and/or equal to 2 | Low Business Value | 2 |

Source: FDIC DIT Web site.

Monitoring and Reporting Project Status.
We observed that IT project delays and cost
variances were monitored and reported timely to the FDIC’s governing IT committees, in
accordance with CIRC and CIO Council guidelines. DIT provides the governing committees
with a variety of IT project management reports, monthly or as needed, and posts monthly status
reports on the FDIC Intranet. Reports are available on project status, including a monthly
reporting of the current RUP phase of each project in relation to approved milestones. In
addition, as discussed earlier, DIT’s BOI process evaluates the success of IT projects in meeting
users’ expectations, and CMCB performs post-project reviews of CIRC portfolio projects.

When projects included in our evaluation experienced challenges, actions were taken to identify
causes and correct IT project management issues. As noted earlier, one of the projects included
in our evaluation received a TechStat review because of CIO Council concerns regarding
milestone and cost variances. The review identified various corrective actions to improve project
management.

Efforts to Enhance IT Project Management. In August 2012, the CIO Council adopted
CMCB recommendations to improve the overall governance of projects and sharpen the focus on
major projects.
These guidelines included:

    •    Tracking and monitoring total direct costs of projects, including planning and
         implementation project costs; discontinuing the use of division-level discretionary funds
         to cover project shortfalls; and allowing the CIO Council to request TechStat reviews at
         any time.

    •    Using a line-of-sight approach to group projects that were previously broken into annual
         phases or releases into a single fully-scoped project, and requiring new cost and
         milestone baselines at the end of each RUP phase for the complete project.

    •    Designating certain CIO Council projects as “major projects” to receive greater oversight,
         increasing reporting and briefings to the CIO Council on major projects, and requiring
         PMO evaluation of projects with variances to determine if the project should be
         redesignated as a “major project.”

    •    Establishing new reporting and metrics to the CIO Council and quarterly reports on
         system performance and health.

DIT began routinely providing the CIO Council with the total project cost in addition to the
annual budgeted cost in February 2013. Still, during our evaluation, we determined that the CIO
Council could do more to monitor total project costs against the initial project budget on a
portfolio basis. Specifically, the CIO Council monitored non-CIRC projects using an annual
budget process, which could limit insights into overall cost performance for projects spanning
multiple years. While CIO Council members could request that DIT’s PMO prepare an analysis
showing a project’s original budget to actual costs incurred-to-date, DIT did not maintain such
information on an ongoing basis.
More recently, in April 2014, the PMO revised the CIO
Council Notification Report to include, among other things, total project budget information to
provide council members with a financial assessment for the total investment and to allow
visibility into future year budget requirements.

Conclusion

At our exit conference, the Acting CIO acknowledged that there remains some concern within
the FDIC as to whether IT projects are being implemented efficiently and effectively—despite
current metrics indicating otherwise—and is continuing to work towards implementing
meaningful metrics for project success that are understood and agreed upon by those having key
roles in executing and monitoring IT project management. Further, efforts to refine and improve
the reporting of cost and other aspects of IT project status to the CIO Council and other program
officials were well underway as we completed our fieldwork. Accordingly, we concluded that a
recommendation was not warranted to address our findings in this area.


Factors that Promote Project Success or Prevent Projects
from Meeting Expectations

We identified six factors that either promoted IT project success or prevented projects from
meeting expectations based on our interviews and analysis of the six projects that we selected for
detailed review. These projects involved a variety of FDIC divisions and offices, DIT project
managers, and IT contractors. A summary of the projects, including their purpose and a
description of their respective project management processes, is provided in Appendix 4.


Thoroughly Planning and Scoping the IT Project

Selecting the Right Contractor and IT Solution. Adequate planning of the IT project begins
with consideration of all available IT solutions during the Inception phase.
FDIC RUP
guidelines note that before scheduling the Inception milestone review, the project team should
have selected the solution architecture and determined it to be feasible from a business and
technical perspective. Project managers for two projects in our sample stated that the success of
their projects was directly attributable to an effective contracting process during which a variety
of IT solutions were evaluated. The technical evaluation panel considered each proposal and the
selection was based on the quality of the contractors’ understanding of the business needs and
processes rather than on cost. On other projects that encountered numerous challenges, we were
told that, in hindsight, the selection process of the IT solution and contractor was abbreviated or
not fully executed and that the project team should have given greater consideration to an
alternative solution or contractor. Contractors who had worked on multiple FDIC projects told
us that the project works best when the business unit knows what it wants and considers a variety
of contractor solutions.

Understanding Project Scope and Complexity. Properly scoping the project and accurately
communicating the project’s complexity is critical to project success. DIT Milestone Review
Guidelines note that the scope of work should be defined, validated, and agreed upon by the
business and technical stakeholders during the Inception phase. FDIC RUP guidance documents
require a number of scoping-related documents, including the Vision document, software
development plan, and risk lists that should be prepared or in-process at the Inception milestone
review decision point.
Project managers and other
officials whom we interviewed indicated that many of the challenges they faced could have been
avoided if the project had been better understood by all parties when it was being planned. For
example, on one project, much of the contractor’s project team
needed to be replaced because the complexity of the project was not adequately documented
when it was proposed. That project involved multiple FDIC divisions and offices, and interacted
with numerous FDIC systems. After the project began encountering problems, the contractor
replaced its project manager and other lead staff, and progress on all aspects of the project
greatly improved. Another project was originally cast as an upgrade; however, after the project
met significant challenges, a project review determined that it should have been treated as a
major overhaul. FDIC RUP guidance notes that for projects focused on enhancements to an
existing system, the Inception phase is briefer than for full system development efforts.
Accordingly, project teams should ensure that the scope and complexity are fully understood to
preclude a project from being misclassified and not subject to sufficient planning.

Vision Document: Defines the stakeholders’ view of the technical solution to be developed. It
communicates the fundamental “what and why” for the project and provides a strategy against
which all future project decisions can be validated.

In those two projects, the contractor and DIT project managers were replaced with more
experienced personnel and the projects’ progress significantly improved.
FDIC officials we
spoke to recommended that the client should ensure that the complexity of a given project is
clearly identified during the planning and scoping of the project, prior to the contractor and DIT
assigning personnel to a project. Contractors also told us that ensuring that the quality of the
staff is compatible with the complexity of the project is critical. The FDIC RUP guidelines for
conducting the Inception milestone review include reviewing resource availability, expertise, and
engagement for preparedness in moving to the next RUP phase.

Setting Realistic Milestones. FDIC officials we spoke to for one project we reviewed felt that,
in hindsight, the challenges they faced resulted from the scope of the project not being
effectively communicated to FDIC senior management. As a result, the milestones established
for the project were too aggressive. Unrealistic milestones negatively affected the project
primarily in two ways. First, it put unneeded pressure on the project team to meet the deadlines
and caused the team to reduce communication on the project. Second, because of the unrealistic
deadlines, the contractors stated that they were not allowed time during the Inception phase of
the project to gain an adequate understanding of the FDIC’s technical environment. FDIC RUP
guidelines note that one of the objectives of the Inception phase is to develop initial cost and
schedule estimates, to be followed by more detailed and reliable estimates in the Elaboration
phase. The guidance also notes that cost and schedule estimates should be credible and
justifiable.

Focusing on Business Needs Rather Than IT Capabilities.
Other comments related to
planning centered on the importance of the FDIC client ensuring that the proposed solution
meets the FDIC’s business need as opposed to the contractor changing the FDIC’s business
process to meet a contractor’s proposed solution. FDIC project managers suggested that the
client should lead the discussion with the contractor to ensure that the contractor fully
understands the business requirements and should not change the business requirements to
conform to limitations of a proposed solution. On one project that we reviewed, officials we
spoke to said that, in hindsight, they wish that they had not allowed the contractor to lead the
discussion to such a large extent. Those officials believed that this approach took them away
from pursuing the original project concept to a more involved project that experienced many
challenges.

Contractors agreed that they should not be leading business requirements discussions, and that
they should be responding to the client’s needs. These contractors noted that project
development is facilitated when the DIT project manager has a good understanding of the
client’s business unit. Contractors also said that DIT should be working to find IT solutions that
fit the business rather than making the business process fit the IT solution.
Contractors further
explained that the process works best when the developers are able to meet with as many of the
users as possible early on and when the users are heavily involved in the requirements phase.
Contractors emphasized that it is critical for the developers to have a complete understanding of
users’ needs before designing the IT solution.

The FDIC RUP Web site includes key principles for business-driven development and notes the
need to balance competing stakeholder priorities between developing an application that does
exactly what the stakeholder wants, which may be costly and time intensive to develop versus
leveraging a less-costly, more-timely packaged application that limits user requirements. To be
in a position to balance needs, the project team must understand and prioritize business and
stakeholder needs. This means capturing business processes and linking them to projects and
software capabilities and involving the customer in the project to ensure the project team
understands the users’ needs.


Ensuring Developers Understand the FDIC’s IT Environment

Understanding Technical and Operational Issues. Ensuring that the development team has a
complete understanding of the technical and operational environment is a key factor during the
Inception phase to promote project success. FDIC RUP guidelines for the Elaboration phase
include confirming that infrastructure impacts, such as bandwidth, storage, etc., have been
identified and communicated. Comments from project managers we interviewed centered on the
importance of the contractor’s understanding of the FDIC’s technical and operational
environment, including hardware, software, and requirements analysis.
On the two projects in
our sample that were described as proceeding very well by officials whom we interviewed,
project managers stated that the contractors’ understanding of the FDIC’s technical and
operational environment greatly facilitated the project. On three other projects in our sample that
experienced unanticipated challenges, FDIC project managers specifically stated that the
contractors’ lack of understanding of the FDIC’s environment was a primary reason for the
difficulties encountered. On those projects, contractors did not clearly understand security
requirements, age of the FDIC’s laptop computers, firewall limitations, data migration
technology, and bandwidth limitations. As a result, unexpected issues arose during system
development testing in the Construction phase that caused milestone delays while the project
team developed strategies to mitigate the issues.

Developing Systems Within the FDIC’s IT Environment. Another common element of these
three projects is that, in each case, the contractor developed the software outside of the FDIC’s
IT environment. Significant deficiencies were identified when the system was tested in the
FDIC IT environment. On each of these projects, the solutions that the contractors employed
would succeed in an ideal working environment. However, because much of the FDIC’s work is
conducted in remote locations, requires enhanced security, or involves other limitations, the
developed software was incompatible with the FDIC’s current technology. FDIC project
managers told us that, in hindsight, they would have ensured that the contract required the
contractor to develop the IT project within the FDIC’s environment.
Other IT projects where
development was conducted within the FDIC’s IT environment did not have deficiencies to the
extent to which those projects developed outside the FDIC did. The RUP Elaboration phase
milestone review guidelines suggest understanding whether the development tools contemplated
for the project have been used before at the FDIC. However, we did not identify any explicit
FDIC guidance that IT projects should be developed within the FDIC’s IT environment.


Managing Collaboration and Communication

Managing communication is a critical aspect of IT project management. Obtaining buy-in and
representation from all participants in the project’s development, marketing the benefits or
reasons for the project, and managing the expectations of end users all are relevant to ensuring a
successful project. Much of the feedback we received from both FDIC and contractor personnel
regarding factors that facilitate IT project management centered on collaboration and
communication among the FDIC project team, contractor, and IOs.

Holding Regular Team Meetings. For each of the projects in our sample, we asked project
managers and testing team members what they felt had facilitated their respective IT projects,
and if the project started over, what they would have done differently. One commonly stated
factor was the level of communication among the project team, contractor, and IOs. Specifically,
holding regular meetings between the contractor and business users throughout the project and
early communication between the contractor and IOs were often cited. FDIC and contractor
recommendations centered on holding regular program meetings early in the project with FDIC
IOs, involving users in meetings early in the project and as much as possible, and holding regular
discussions with FDIC officials and contractors involved in the project development.
Officials
we interviewed said that it is important for the testing team to be fully informed as to the time
that will be required of them before they join the project. We were told that it greatly facilitated
the project when everyone was consistently available during meetings and users made a
dedicated commitment to participate in all meetings and discussions. One project manager told
us that one of the things he would have done differently would be to press for a larger travel
budget just to have everyone together in the same room because face-to-face meetings were
always the most beneficial.

A key principle discussed on the RUP Web site is collaborating across teams. This principle
stresses the importance of fostering optimal project-wide communication achieved through
proper team organization and effective collaborative environments. This principle involves
motivating individuals on the team to perform at their best and creating self-managed,
cross-functional teams (e.g., analysts, developers, testers) with the authority to decide on issues
directly influencing their work. Cross-functional collaboration helps to break down the walls
that often exist among analysts, developers, and testers. Each team member needs to understand
and buy in to the mission and vision of the project.

Involving Intersecting Organizations Early. Contractors told us that coordinating with the
IOs and ensuring full understanding of the business function and relationships between the
business unit and IT organization is a critical element in IT project management. Contractors
said that DIT’s work to facilitate coordination with the IOs throughout the project greatly
improved their ability to keep the project on schedule. In other cases, where projects experienced
challenges, FDIC project managers told us that the IT contractor should have reached out to IOs
earlier in the project. FDIC guidance related to each of the RUP phases discusses the importance
of engaging the IOs well in advance of milestone reviews in order to understand and
adhere to all IO requirements.

Intersecting Organizations
 •   Configuration Management
 •   Corporate Management Control
 •   Development Support and Monitoring Section
 •   Enterprise Architecture
 •   Enterprise Information Management
 •   Independent Test Section
 •   Information Security and Privacy Staff
 •   Infrastructure Services Branch
 •   Peer Estimation Group
 •   Program Management Office
 •   Quality Assurance
 •   Release Management

Practicing Agile Coordination. One aspect of the RUP and Agile methodologies is for the
project team to ensure that those participating in the project’s development are motivated and
dedicated to the long-term IT project. Officials we interviewed told us that frequent meetings
that apprised them of the project status and upcoming activities helped them to engage and
understand how their involvement fit into the bigger picture. Testers provided positive
comments consistently when they understood the testing process and felt they were a key part of
the solution.
On one project that was behind schedule, the testers we interviewed did not have a good understanding of the testing process and did not seem enthusiastic about the IT project.

Projects that involved heavy user participation also reported fewer challenges that negatively affected the projects’ schedule. On two of the projects included in our evaluation, we were told that divisional staff participated extensively in project testing, including writing their own test scripts, deciding the test schedule, and following up on results of user acceptance testing. The contractors on these projects specifically stated that the substantial participation of the user groups greatly facilitated the project. Conversely, FDIC project managers told us that when the project met challenges, these were often due to the lack of consistent communication between the contractors and sponsoring division personnel or DIT IOs, or both. Both contractor and FDIC personnel stated that early communication with the IOs is especially important under the Agile methodology. Collaboration and communication across teams is a key principle of the RUP and Agile methodology so when communication is lacking, the effectiveness of the development methodology is likely to be adversely affected.


Implementing an Effective Milestone Review Process
Ensuring Projects Meet All Milestone Review Requirements Before Moving to the Next RUP Phase. The RUP framework requires that milestone reviews be conducted prior to the IT project moving to the next project phase. Milestone reviews are of special importance because the FDIC includes a large number of IOs that need visibility into key aspects of IT projects to make sure that the concerns they represent are addressed adequately. All IOs are invited to milestone reviews that determine whether the project should be allowed to move forward to the next phase.
Most of the officials we interviewed reported that they were satisfied with the overall milestone review process. However, we received a number of comments that the milestone review process could be enhanced to be more effective and facilitate the project transition from one RUP phase to the next.

FDIC RUP guidelines for conducting milestone reviews at each of the RUP phases include specific discussion points pertaining to accomplishments; risks mitigated, accepted, and outstanding; preparedness to continue to the next RUP phase; deployment strategy (for the Transition phase); and concurrence. The RUP guidelines also include suggested clarifying questions that reviewers may wish to cover during milestone reviews. Figure 2 presents rules of engagement for conducting milestone reviews.

Figure 2: Milestone Review Meeting Rules of Engagement
• The agenda is provided in advance and at the meeting. Attendance will be recorded.
• The DIT Project Manager is solely responsible for running the meeting and tailoring the structure to meet the specific needs of the project.
• The DIT Project Manager is responsible for ensuring that minutes will be kept, circulated for approval afterward, and posted.
• No conditional approvals will be issued.
• Identification of action items during the meeting may require project plan revisions, and the project may not be approved to move to the next RUP phase. In such cases, a second, reduced scope milestone review must be conducted.
• Silence and non-participation equate to support and consent to proceed.
• Sufficient advance notice will be given to target attendees to permit appropriate participation.
• In the case of scheduling conflicts, target attendees may send alternates; alternates must agree to these rules of engagement.
Source: DIT Web site, Milestone Review Playbook.

As shown, the guidelines state that the project manager is responsible for ensuring that minutes are kept and circulated for approval following the milestone review. However, minutes were not available on any of the projects included in our sample. The only documentation DIT provided were PowerPoint presentation slides from the milestone review meetings. Therefore, we could not evaluate the depth of questions and answers discussed during any of the milestone reviews for the projects included in our evaluation. Circulation of minutes to milestone review participants helps to reinforce meeting expectations and action items due and to confirm meeting discussion points.

Improving the Intersecting Organization Approval Process. Project managers told us that one of the most frustrating aspects of the milestone review is the IO approval process. Project managers begin preparing for the milestone review about 1 month prior to the formal meeting. Project managers hold meetings with the IO managers during which they discuss the RUP phase and project accomplishments and provide documentation supporting that the phase has been completed. The IOs then indicate their approval via e-mail or signature that the project may move to the next RUP phase. A few of the project managers we spoke with said that the procedure for obtaining approval from the IOs needs to be revised because it often requires repeated attempts to get the IOs to respond.
FDIC RUP guidance on the Transition phase milestone review provides questions related to coordination with IOs, including which IOs need to be involved in system deployment readiness, level of IO participation, whether the project team has shared information with IOs, and whether IOs are fully informed of the system deployment and concur with moving forward.

In addition, many of the project managers we spoke with felt that the IOs should be required to attend the milestone review meeting. Although the guidelines for milestone reviews indicate that all IOs are invited to the milestone review meeting, we heard from multiple project managers that often there is not a representative from all IOs at milestone review meetings. For example, the Inception phase of product development includes defining project scope and identifying technical challenges. Officials we interviewed on one of the projects in our sample stated that, in hindsight, they considered both the Inception and Elaboration milestone reviews as being rushed. They felt that the project should not have been permitted to move from the Inception to the Elaboration phase because there had not been adequate discussion and interaction by the contractor with the IOs regarding the FDIC’s IT environment. We did not note any guidance requiring IOs or IO representatives to attend milestone review meetings.

Project managers also explained there were no questions during the milestone review about whether the solution would work in the FDIC’s technical environment. Other officials associated with this project stated that they felt the Elaboration milestone review was rushed as well.
They felt that more discussion and preparation with the IOs might have identified issues related to the FDIC’s technical environment prior to completing the Elaboration phase. Subsequently, this project encountered numerous challenges due to the contractor’s lack of an adequate understanding of the FDIC’s technical environment. It was suggested that greater IO participation in both the Inception and Elaboration milestone reviews may have altered the decision for the project to be approved for the next phase. We noted that the FDIC’s RUP guidelines recommend confirming that infrastructure impacts, such as bandwidth, storage, etc., have been identified and communicated. In addition, the Transition milestone review guidelines recommend discussion of whether the Physical Configuration Review (i.e., hardware, software components, operating system, configuration files) has been completed to verify that the quality assurance staging environment matches the target production environment.

Making Milestone Reviews Meaningful and Comprehensive. We also received comments that the overall milestone review process should be more comprehensive. Officials we interviewed told us that the manner in which milestone reviews are conducted is geared more towards making sure the required paperwork is completed than actually ensuring that the goals of the RUP phase have been successfully completed. They further noted that while questions are raised at the milestone review meeting, participants do not sufficiently explore project details. Many managers use checklists to ensure all requirements are documented, but there is not enough done to evaluate the adequacy of the project as a whole.
One project manager who was assigned to a project during the Construction phase explained that, in her opinion, the contractor was not following the RUP methodology as required because the Elaboration phase was not completed when Construction began. The project manager did not understand how the project made it through the Elaboration milestone review and said that, had the Elaboration phase been properly completed, many of the issues that plagued the project may not have occurred. As discussed earlier, the FDIC RUP Web site includes specific guidelines for discussing project accomplishments, risks, and preparedness for continuing to the next phase, to be used in milestone review meetings.


Having a Well-Informed and Fully-Dedicated Testing Team
The quality of user testing is an important factor that facilitates successful IT project management. This is especially critical when employing the RUP and Agile methodologies because testing occurs throughout the project lifecycle. Agile testing has been referred to as the headlights of the project because it shows the project manager where the project is and where it is headed. Testing provides information to the project manager from which critical development decisions are made so that the ability to test the software drives the development. FDIC personnel involved in the testing process and project managers explained that the quality of the testing process significantly influences whether or not the project will meet milestones and users’ expectations. We also observed that the feedback we received from testing participants as to their level of satisfaction with the testing process matched the overall level of project success indicated to us by the project managers.

    Agile development recognizes that testing is not a separate phase, but an integral part of IT software development.

Another key principle for business-driven development is focusing on continuous quality. This means that quality must be addressed throughout the project lifecycle through iterative testing. Project teams should test early and continuously throughout the system development effort. All project members should “own” quality and design the system and write code with testing in mind. Testing should be expanded as part of each software iteration and should include regression testing to make sure that defects are not introduced as new iterations add functionality.

Selecting the Right Users to Test the Solution. Project managers told us that the quality of their user testing team contributed to the level of success on the project. It was critical for the testing team to include subject matter experts familiar with the program area for which the application was being developed and an adequate number of testing participants.

One project manager attributed successful project completion primarily to the exceptional efforts of the testing participants. The project manager indicated that the testing participants wrote their own test scripts, decided the test schedule, and met daily during user acceptance testing. The developer was able to correct all deficiencies on schedule due to the excellent work of the testing team. A contractor on this project said organization of the testing teams facilitated the contractor’s work on the project. On other projects, the project managers told us that because of the dedicated work of the testing teams, errors were caught early in development and were quickly corrected.

Training Team Members on the Agile Testing Process.
Testing participants that received training on the Agile testing process prior to project testing generally had positive comments regarding the project. They explained that it is important for testers to receive training so that they understand that the testing and retesting process is normal during Agile development. In those instances when the testing process encountered problems, those individuals we interviewed indicated it was because team members participating in the testing process had not been trained on the Agile methodology. As defects were repeatedly encountered, the team members became frustrated with the overall testing process. Frustration with Agile testing is likely if testing participants do not understand how the system is being developed iteratively and are expecting a fully functional system when testing is initiated.

    Federal Challenges in Applying Agile
    A 2012 Government Accountability Office (GAO) report (GAO-12-681) noted several challenges that agencies face in implementing Agile.
    • Teams had difficulty collaborating closely.
    • Teams had difficulty transitioning to self-directed work.
    • Staff had difficulty committing to more timely and frequent input.
    • Agencies had trouble committing staff to Agile development efforts.
    • Customers did not trust iterative solutions.
    • Teams had difficulties managing iterative requirements.
    FDIC and contractor officials we interviewed expressed some of these same concerns.

The majority of negative comments we received from testers occurred when they felt they had not been provided adequate instruction prior to the testing process. Comments from these testing participants included complaints that they had not been adequately prepared for the process, testing took too long, there were too many errors, the test scripts did not work, and they did not understand what happened to the defects they reported because nothing ever seemed to work as expected. These testers appeared to be frustrated with the process and complained that it detracted from their primary assignments. Because they had not been adequately prepared for the time requirement and did not understand the Agile testing process, these testing participants had a negative view of the IT project and were not enthusiastic about their involvement.

We noted that FDIC’s RUP Web site includes information about computer-based instruction courses available through FDICLearn. RUP-related course titles include Breaking the Work Up: Iterative Development Overview and Software Requirements Specification Overview.

Dedicating Team Members and Maintaining Continuity. Testers should also be adequately prepared for the time commitment required when assigned to project development testing. This is especially important under the Agile methodology because the software is modified based on users’ feedback.
Those testing teams that were made aware of the time requirement and how their testing work affected the project development reported a positive testing experience. They indicated that while the testing process might become tedious at times, they understood the importance of their work and appreciated that they had the opportunity to be a part of the project development.

Project managers for one of the projects in our sample told us that having a consistent team of testing participants would have greatly facilitated the project development. The ability of FDIC divisions or offices to have a designated testing team varies due to the division or office’s work requirements and resources. For example, the workload of Division of Resolutions and Receiverships (DRR) staff may fluctuate significantly due to the number of bank closings and related activities required of DRR staff. Where dedicating a consistent team of testing participants is not possible, ensuring that testing participants are fully briefed on the testing process and time requirements so that they understand the importance of their work and properly plan their involvement is a critical component of IT project management.


Assigning an Independent Risk Manager to Projects
Effectively managing and mitigating IT project risks is a key tenet of the RUP and Agile methodologies. Risks exist within each RUP phase that should be fully addressed before the IT project team begins work on the next phase. The project managers we interviewed agreed that when risks are not properly mitigated, especially before moving from the Elaboration phase to the Construction phase, problems are likely to arise that will delay the project.

The FDIC RUP Web site discusses essential elements of RUP, including mitigating risks and tracking related issues. The Web site notes that it is essential to identify and attack the highest risk items early in the project.
The risk list is intended to capture the perceived risk to the success of the project. Along with each risk should be a plan for mitigating that risk.

Assigning Independent Risk Managers to All Major Projects. Under the RUP methodology, the contractor’s project team should include a risk manager who tracks potential project risks and monitors the project’s progress in mitigating risks. In addition to the contractor’s Risk Manager, CMCB provides an Independent Risk Manager (IRM) for all CIRC projects and other major projects as needed. Four of the IT projects in our sample included an IRM. Project managers provided very positive feedback regarding the IRM’s participation on their projects. Officials we interviewed stated that an IRM facilitates IT project management by focusing on risk identification, providing a different perspective of risks based on factors outside the project and across many projects at once, and ensuring mitigation of risks in a timely manner. One contractor manager we spoke with indicated that having an IRM was pivotal to the success of the project and recommended that one should be assigned to IT projects estimated to last over 1 year. Other managers offered that the IRM’s ability to provide an independent perspective reduces the “finger pointing” among the client, DIT, and the contractor. Project managers agreed that it is important for the IRM to be included in all meetings and have a full view of the project. Some also felt that the IRM did not need to be an IT expert but more of a risk expert that knows what issues need to be considered that might not be evident to the project team.

    IT Project Team Member Comments About IRMs
    “An IRM is very beneficial, especially when you have an IT project that crosses numerous divisions.”
    “IRMs have a different perspective from outside the project that I came to appreciate.”

Ensuring IRM Concerns Are Addressed. Although officials we interviewed provided this positive feedback, we were advised that the concerns of the IRM were not always mitigated in a manner that fully addressed the intent of the risk identified. On one of the projects in our sample, even though the IRM noted many risks early on in the project, the IRM felt that the project managers worked to dismiss the concerns raised instead of working to address IRM concerns. As the IT project moved to the Construction phase of the project, it encountered numerous delays and challenges. During a lessons learned session at the completion of the project, IT managers concurred that had the concerns of the IRM been properly addressed, some of the challenges the project experienced may have been averted.

Among the reasons given for two of the IT projects in our sample that experienced significant delays and challenges is that the RUP Elaboration phase objectives had not been fully completed before the project team began work on the Construction phase. As a result, significant risks were not identified prior to building the project and when they came to light, the project needed to be reworked. In hindsight, project managers believed that had the concerns of the IRM been given greater consideration, these risks may have been identified and perhaps mitigated earlier in the project development.


Conclusion and Recommendation

Our interviews and analysis led us to identify a number of key factors that can either make or break an IT project. Three of the six projects we sampled experienced significant delays, in part, because factors discussed in this report were not fully addressed.
These same factors, however, were equally important to those projects that were completed on time, within budget, and consistent with requirements. Not surprisingly, these factors involved project planning, understanding the IT environment, collaborating across teams, asking the right and difficult questions at key milestones, engaging subject matter experts, and addressing project risks early and head-on.

Accordingly, we recommend that the Acting CIO:

(1) advise client division and offices, IT project teams, DIT intersecting organizations, and appropriate governance bodies of the key factors in project success or challenges and related controls we identified in this report and (2) determine whether guidance in any of these areas needs to be strengthened. The most notable factors and issues include:

• Considering all available IT solutions during the Inception phase;

• Documenting, assessing, and communicating the complexity of a proposed IT solution to appropriate parties to ensure that contractor resources and milestones are commensurate with requirements;

• Ensuring the development team completely understands the FDIC’s technical and operational IT environment, and development occurs within that environment;

• Ensuring consistent collaboration among all those involved in the project and that contractors communicate and coordinate with the FDIC’s IOs early and often;

• Facilitating IO approval for projects to move to the next RUP phase and their participation in milestone review meetings;

• Ensuring milestone reviews fully explore the adequacy of the work performed and that all risks are properly mitigated prior to RUP milestone approval, including those identified by the IRM;

• Establishing dedicated IT project testing teams that are fully briefed on the testing process and anticipated timeframes; and

• Ensuring there is an awareness of the Agile approach to system development and its impact on implementing and measuring the progress and value of IT projects.


Corporation Comments and OIG Evaluation
The Acting CIO provided a written response, dated June 25, 2014 to a draft of this report. The response is presented in its entirety in Appendix 5. In the response, the Acting CIO concurred with the report’s recommendation and described completed and planned corrective actions to address the recommendation. A summary of the Corporation’s corrective actions is presented in Appendix 6. The completed or planned actions are responsive to the recommendation, and the recommendation is resolved.


Appendix 1

Objective, Scope, and Methodology
Objective

The objective of the evaluation was to (1) assess the extent to which the FDIC’s IT projects are meeting their cost, schedule, and requirements expectations; (2) identify factors that promote project success or prevent projects from meeting expectations; and (3) identify opportunities for strengthening the FDIC’s controls for monitoring IT projects.

We conducted this evaluation from April 2013 through February 2014 in accordance with the Council of the Inspectors General on Integrity and Efficiency’s Quality Standards for Inspection and Evaluation.
We performed our evaluation work at the FDIC’s offices in Arlington, Virginia and Dallas, Texas.

Scope and Methodology

To address our evaluation objectives, we first gained an understanding of the FDIC’s IT project management governance structure and processes, including internal controls for monitoring and reporting on the FDIC’s IT projects by reviewing relevant policies and procedures; interviewing DIT officials, program office officials, and members of the CIO Council. We also observed a number of CIO Council meetings to understand how the statuses of on-going FDIC IT projects are reviewed. Our evaluation objectives did not require that we evaluate whether the FDIC’s IT project management controls were properly designed or require that we gain an understanding or test information system controls. Further, our evaluation objectives did not require that we specifically test the implementation of internal controls or effectiveness of controls except to the extent we considered the effectiveness or implementation of controls in assessing factors that promote project success or prevent projects from meeting expectations. As explained below, we reviewed documentation for a sample of IT projects to understand the extent of documentation and not to specifically test compliance with policies and procedures and other controls.

Figure 3: Summary of FDIC Policies and Procedures and IT Governance Documents

FDIC Directives and DIT Policy
• FDIC Capital Investment Policy, dated September 23, 2011.
• FDIC Circular 1303.1, FDIC Enterprise Architecture Program, dated June 16, 2008
• Policy 07-005 Systems Development Life Cycle (SDLC), dated June 15, 2007.
• Policy 09-004 Information Technology Project Management (Project Management Office), dated December 28, 2009.
• Policy 09-006 DIT Earned Value Management (EVM), dated May 1, 2009.

FDIC IT Governance Documents
• CIO Council Governance Guidelines, adopted revision on November 15, 2012.
• CIO Council Charter, revised and adopted on September 6, 2012.
• Charter of the Capital Investment Review Committee (CIRC), revised and adopted on October 2011.
• Charter for the FDIC Financial Analysis Committee (FAC), adopted on May 2007.
• Charter of the DIT Project Initiation Review Committee (PIRC), effective February 26, 2006.

Source: OIG analysis of FDIC directives, DIT policy, and IT governance documents.

To assess the extent to which the FDIC’s IT projects are meeting their cost, schedule, and requirements expectations, we obtained CIO Council and CIRC reports on IT projects completed or in-process during 2012 and 2013. We focused on that defined period because it provided us a sufficient population from which to evaluate current IT project management practices and processes.

To identify factors that contributed to a project’s success or difficulties, we took a case study approach. To that end, we judgmentally selected six projects for review from FDIC’s inventory of IT projects completed or in-process as of December 31, 2012. The results of a non-statistical sample cannot be projected to the intended population by standard statistical methods.
In selecting projects, we included both CIRC and CIO Council projects and projects from a cross-section of FDIC divisions and offices. We also took into consideration factors such as whether the project management method employed the Agile methodology; estimated cost; the contractor engaged to work on the project; and the current project status, including the extent of any known problems or positive attributes. Table 5 summarizes key information about each of the projects in our sample, including our reason for selecting the project.

Table 5: Summary of Projects Sampled

                                                Actual or
                                                Projected     Division
IT Project Name             Project Status      Total Cost    Sponsor             Reason for Selection

Advanced Legal              Construction        $4.7 million  Legal Division      • Legal Division project
Information System (ALIS)                                                         • TechStat performed

Assessment Information      Completed with      $7.8 million  DOF                 • DOF project
Management System (AIMS)    update in process                                     • Strong user acceptance testing

Claims Administration       Construction        $3.6 million  DRR                 • DRR project
System (CAS) 2.0                                                                  • High Profile
                                                                                  • Issues reported in prior versions

Examination Tools Suite-    Construction        $35 million   Division of Risk    • CIRC Portfolio
Supervisory Application                                       Management          • RMS Project
Generating Exams                                              Supervision (RMS)   • Agile methodology used
(ETS-SAGE)

Identity Access             Completed           $950,000      DIT                 • Complex project
Management System (IAMS)                                                          • Cost overruns and milestone delays

PROFORMA                    Construction        $2.7 million  DRR                 • Bank Closing Tool
                                                                                  • Agile methodology used
                                                                                  • Project management issues reported

Source: OIG analysis of DIT status reports and Projects at a Glance.

For the IT projects selected, we performed the following procedures.

• Reviewed RUP documentation to understand the purpose of the project and assess how it was being managed relative to an approved project proposal and the FDIC’s overall IT project management framework. RUP documentation reviewed included project plans, configuration architecture, measurement analysis plans, software architecture plans, iteration assessments, milestone review presentations, budget proposal outlines, risk lists, schedule status reports, quality control strategies, risk management plans, system security plans, requirements vision, and master test plans. We did not assess whether the applications were adequately designed or specifically review RUP documentation to test whether development policies, procedures, and guidance had been properly implemented.

• Interviewed personnel in RMS, DRR, DOF, DIT, Division of Administration, and the Legal Division who were responsible for IT project management, risk management, and user testing to obtain their perspectives on project management, development practices, testing practices, and user expectations. We also interviewed FDIC contractor personnel who serve as project managers and DIT personnel in the Delivery Management Branch and Program Management Office. In these interviews, we solicited individual views about the factors that contributed to the project’s success or prevented the project from meeting expectations and ideas for strengthening the FDIC’s controls for monitoring IT projects, and analyzed responses to identify common themes or outlier comments that warranted follow-up.

To help us identify opportunities for strengthening the FDIC’s controls for monitoring IT projects, in addition to discussions with FDIC personnel and FDIC contractor personnel, we reviewed industry guidance.
Specifically, we reviewed the following:

   •   Intel Information Systems Audit and Control Association (ISACA) publication,
       COBIT 5: A Business Framework for the Governance and Management of Enterprise IT,
       dated 2012. This publication contains five basic principles for governing and managing
       enterprise IT.

   •   Executive Office of the President of the United States, 25 Point Implementation Plan to
       Reform Federal Information Technology Management, dated December 9, 2010. This
       plan covers the structural areas that impact the success rates of large IT programs across
       government.

   •   Global Technology Audit Guide (GTAG) 12: Auditing IT Projects, dated March 2009.
       This GTAG provides internal auditors with an overview of techniques for effectively
       engaging with project teams and project management offices (PMOs) to assess the risks
       related to IT projects.

   •   Global Technology Audit Guide (GTAG) 17: Auditing IT Governance, dated July 2012.
       This GTAG covers aspects of governance that should be in place to ensure IT supports
       the strategies and objectives of the organization, describes elements of effective
       governance and performance frameworks, and describes example controls that address IT
       governance risks.

Appendix 2

Glossary

Term                         Definition
Agile                        A group of software development methods based on iterative and
                             incremental development, where requirements and solutions evolve
                             through collaboration between self-organizing, cross-functional teams.
Basic Ordering Agreement     A written instrument of understanding negotiated between the FDIC and
                             a contractor for future delivery of as yet unspecified quantities of goods
                             or services. A BOA becomes a binding contract when a task order is
                             issued.
Business Outcome Index       An index developed by the FDIC PMO to summarize the current state of
                             DIT’s ability to deliver business outcomes with CIO Council projects.
Business Proposal Outline    A template tool used by the CIO Council for making informed decisions
                             related to the selection of FDIC CIO Council IT projects on a yearly
                             basis.
Deployment Plan              A deployment plan defines the sequence of operations or steps that must
                             be carried out to deliver changes into a target system environment.
Dodd-Frank Wall Street       The Dodd-Frank Act (Public Law No. 111-203) enacted July 21, 2010,
Reform and Consumer          contains many provisions affecting the FDIC and its regulatory
Protection Act (Dodd-        authorities over banks and the financial services industry. Certain of
Frank Act)                   those provisions affect how the FDIC calculates assessments on insured
                             depository institutions.
Intersecting Organizations   FDIC Intersecting Organizations are DIT and other FDIC groups that
                             projects interact with during a project's lifecycle.
Project Proposal Outline     A governance document that documents high-level elements of a
                             contemplated project in order to support decisions on funding and timing.
                             The Project Proposal Outline provides a good basis for development of a
                             project's vision.
Rational Unified             A comprehensive process framework that provides industry-tested
Process® (RUP)               practices for software and systems delivery and implementation and for
                             effective project management. RUP® is the standard systems
                             development methodology used by DIT for the IT projects it manages.
Risk List                    A document maintained by the Risk Manager of potential IT development
                             risks to be addressed. The list includes mitigating tasks to be completed
                             for each identified risk.
Software Development         The Software Development Plan is a comprehensive, composite
Plan                         document that gathers all information required to manage the project. It
                             includes a number of documents developed during the Inception phase
                             and is maintained throughout the project.
System Development Life      The overall process of developing, implementing, and retiring
Cycle (SDLC)                 information systems through a multistep process from initiation, analysis,
                             design, implementation, and maintenance to disposal.
Technical Evaluation Panel   A panel of FDIC employees established to evaluate the written proposals
                             for compliance with the solicitation’s technical requirements and the
                             evaluation criteria established in the solicitation for formal contracting.
TechStat                     A TechStat is an evidence-based review of an IT investment typically
                             requested by the governing IT committee when a project is
                             underperforming. It is based on a model developed by OMB.

Appendix 3

Acronyms and Abbreviations

Acronym / Abbreviation   Explanation
AIMS                     Assessment Information Management System
ALIS                     Advanced Legal Information System
BOI                      Business Outcome Index
CAS                      Claims Administration System
CIO                      Chief Information Officer
CIRC                     Capital Investment Review Committee
CM                       Corporate Management Council
CMCB                     Corporate Management Control Branch
DIT                      Division of Information Technology
DOF                      Division of Finance
DRR                      Division of Resolutions and Receiverships
ETS-ALERT                Examination Tools Suite - Automated Loan Examination Review Tool
ETS-SAGE                 Examination Tools Suite - Supervisory Application Generating Exams
GAO                      Government Accountability Office
IAMS                     Identity Access Management System
IO                       Intersecting Organization
IRM                      Independent Risk Manager
IT                       Information Technology
OIG                      Office of Inspector General
OMB                      Office of Management and Budget
PIR                      Project Initiation Review
PMO                      Program Management Office
PROFORMA                 Proforma Modernization
RMS                      Division of Risk Management Supervision
RUP                      Rational Unified Process®
SDLC                     System Development Life Cycle

Appendix 4

Summaries of IT Projects Included in the Evaluation

Advanced Legal Information System (ALIS)

ALIS will be the key system the FDIC’s Legal Division uses to manage matters and invoices
from outside counsel firms and legal support services contractors. ALIS will replace the current
Legal Integrated Management System by upgrading the foundational software from Corporate
Legal Desktop to Passport. The contractor will externally host Passport.

The CIO Council ordered a TechStat assessment in July 2012, as the ALIS project was
significantly behind in milestone schedules and over budget. The TechStat reported that ALIS
was originally planned to be completed by first quarter 2012 at a cost of approximately
$1.7 million. As of the TechStat report date of August 2012, ALIS was scheduled to go live on
February 4, 2013 at a total cost of approximately $3.4 million. The TechStat assessment
concluded ALIS was unlikely to meet the schedule and budget estimates presented to the CIO
Council based on past performance and the current challenges.
The TechStat reported that:

   •   ALIS was a major overhaul and not an upgrade.

   •   Inconsistent understanding of “complete” existed between the FDIC and the contractor.

   •   Insufficient project detail existed to reliably predict outcome.

   •   Regular development and configuration issues existed.

   •   Ineffective communication occurred between stakeholders, DIT, and the contractor.

   •   Unresolved contractual disputes existed.

The TechStat Assessment suggested that the Legal Division and DIT consider taking a number
of corrective actions, including:

   •   Ensuring alignment of personnel skills with current challenges;

   •   Simplifying and streamlining coordination-related activities;

   •   Conducting all-hands-on-deck workshops to state, clarify, and confirm requirements for
       DIT, Legal, and the contractor; agree on criteria for determining “complete;” identify and
       address remaining risks; and implement an effective communication strategy;

   •   Developing concrete Go/No Go criteria;

   •   Conducting a thorough Market Analysis, if called for;

   •   Performing a Cost Benefit Analysis, if called for;

   •   Ensuring the charters and associated responsibilities of the existing governance bodies
       were being met; and

   •   Inviting additional expertise to governance boards, including the CFO and a DOF Deputy
       Director.

ALIS ultimately was completed on August 13, 2013 at a total cost of $4,706,590.

At the project close-out briefing on October 24, 2013, DIT and the Legal Division presented
lessons learned to the CIO Council. Lessons learned included that:

   •   Detailed analysis should have been performed to assess project characteristics beginning
       with project planning and continuing through the first two RUP phases.

   •   ALIS was initially categorized as an upgrade of commercial off-the-shelf software, which
       did not account for the data conversion and migration activities combined with the
       custom development of 27 interfaces.

   •   The project team should have immediately and appropriately addressed concerns of the
       Independent Risk Manager.

   •   The FDIC Contracting Officer should have been involved when issues such as contractor
       staff turnover and delivery of quality products with contractors first arose.

   •   The Data Manager should have spearheaded data scrubbing activities earlier, which may
       have resulted in the timely completion of data migration and fewer reported defects once
       ALIS went “live.”


Assessment Information Management System (AIMS)

AIMS enables the FDIC to comply with statutes mandating the FDIC to assess and invoice
financial institutions for deposit insurance premiums that provide the income for the Deposit
Insurance Fund. Using AIMS, the FDIC manages the assessments process by performing operations
throughout the year in support of the quarterly assessment cycle and other special assessment
cycles.
The assessments must be 100 percent accurate and delivered on time, every time.
Changes mandated by the Dodd-Frank Act and FDIC regulations that became effective in 2011
directly impacted the FDIC Assessment Program and required unanticipated modifications to the
AIMS system to address technology obsolescence risks and to revise the AIMS method for
calculating assessments.

The end results of AIMS development met the DOF user, stakeholder, and manager expectations
because the stakeholders or users were involved in daily meetings during AIMS development
and design and reviewed and performed test scripts. A key to AIMS’ success was that there was
100-percent staff involvement from DOF’s Assessments Branch. The staff wrote their own test
scripts, decided the test schedule, and met daily during user acceptance testing. Defects found
during testing were corrected before the release. DOF personnel handled the Testing Phase with
very little support from the contractor or DIT. Another success factor was that DOF and DIT
ensured that the contractor maintained the same IT project management team throughout a
number of releases.

The most challenging aspect of AIMS development was the contractor coordinating work with
the FDIC’s IOs involved in the project. Because one of the IOs disagreed with the AIMS
systems development approach (total rewrite versus enhancement), this IO refused to sign off on
milestone reviews.
AIMS was never provided the resources to perform a total rewrite because
project performance had to meet the criteria and deadlines in the Dodd-Frank Act legislation.


Claims Administration System (CAS)

The purpose of CAS is to have a flexible process that will support deposit claims datasets from
both large and small financial institutions, decrease the amount of manual work done by Claims
Agents and the Business Information Systems staff, and enable the FDIC to handle the closing of
a financial institution of any size. DRR uses CAS to determine deposit insurance amounts and to
process deposit insurance claims when a financial institution fails. CAS 2.0 is a technology
upgrade to implement systems changes that will lead to improvements in the maintainability and
stability of the CAS application, reduce DIT maintenance costs, and provide for a more efficient
and intuitive user interface.

CAS 2.0 development met milestones and expectations due to the excellent communication and
collaboration between DRR, DIT, and the contractor. Other reasons for CAS development
success included: DRR designating a team of users to be testers on the system throughout
development; priority and support from client organization management; and an experienced
DIT project manager. Challenges experienced were largely due to contractor staff turnover.
Stakeholders generally reported that CAS development went well and that CAS met
expectations.


Examination Tools Suite-Supervisory Application Generating Exams (ETS-SAGE)

The objective of the ETS IT project is to replace prior RMS examination reporting tools and
transmittal forms and revitalize and simplify the examination process for both examiners and
reviewers. The program introduces wireless onsite networks that will enhance security and
accuracy of shared examination data in the bank. ETS was developed by examination staff for
use by examination staff.
ETS is expected to: (1) increase efficiency and reduce maintenance
expenses by reducing technical complexity and by reducing the number of systems RMS
examiners must use to perform their jobs; (2) eliminate data redundancy and duplicative data
entry; (3) improve ease of access, reporting, and data accuracy by improving on and eliminating
the examiner download process, enhancing the Report of Examination review process, and
improving RMS’ Automated Loan Examination Review Tool’s (ALERT) import and mapping
processes; (4) reduce risk to and improve the security of examination data; and (5) reduce risk
from technological obsolescence.

During our review, ETS-SAGE was meeting users’ expectations. Because the project team
developed ETS-SAGE after ETS-ALERT development, they had the benefit of lessons learned
from the ETS-ALERT’s Inception and Elaboration phases. The FDIC changed contractors after
ETS-ALERT’s Inception phase. This change challenged the replacement contractor team as
there was insufficient time for the knowledge transfer between the original and replacement
contractor teams. The stakeholders and managers all reported that the Agile software
development methodology was well-suited for this type of project and that it was critical to the
project’s success. DIT’s PMO personnel provided valuable support to the project and acceptance
of the Agile methodology. During our evaluation, the SAGE and ALERT projects were
combined.

We were informed after our interviews on the ETS-SAGE project that the contractor was not
aware of the complexity of the project and DIT had some difficulties preparing the testing
environments.
Also, it had been determined that although the IT solution worked when the
testers were in an ideal environment, the solution would not work in remote locations where the
solution is most needed. The project team discovered that the FDIC’s current technology does
not support the IT solution developed by the contractor. As a result, the project has experienced
several delays and will require a contract extension to be completed.


Identity Access Management System (IAMS)

IAMS was implemented to manage FDIC IT user identities, workflow-based access requests, and
the systems access approval process. IAMS is a streamlined end-to-end integrated process that
captures all steps of FDIC access control from the initial entry of a new FDIC employee or FDIC
contractor to the time of their departure. This process ensures that accounts are set up with the
proper levels of security for all users. All corporate applications supported by DIT must be
tracked through IAMS. The IAMS application had a number of releases for each calendar year
of our review. These releases addressed defects and include enhancements and corrective
measures that will help improve the application’s efficiency and usability.

Environment testing improved from beginning to end. IAMS development improved during the
past year as compared to the previous year’s progress. FDIC attributed the improved process to the
contractor’s latest assigned IT Project Manager. During the early development stages of
IAMS, the IT Project Managers assigned by the contractor experienced turnover, which
significantly impacted the progress and IAMS continuity. When the contractor assigned a
highly skilled and engaged IT Project Manager, IAMS development improved significantly.

As the IAMS environment is complex, DIT ensured that the contractor’s test environment
matched the FDIC’s IAMS production environment.
This was another significant challenge
early in IAMS development, but this situation improved over time and is much better now.
Although the contractor developed IAMS software outside of the FDIC environment, the
contractor designed IAMS to exactly match the FDIC’s operational environment.

Another challenge was the CIO Council budget process. Because the project was so complex
and involved many intersecting systems and organizations, there were many unanticipated
improvements required during the Inception and Elaboration phases. However, the budget
dictated the amount of contractor time allocated to the project phase so the IAMS project kept
going over budget because of the additional requirements.[5]


Proforma Modernization (PROFORMA)

PROFORMA is a bank closing tool that brings failed bank financial statements into DRR's
accounting system. It imports the general ledger from a failing financial institution, allows
financial analysts to make final adjustments, and converts the information into a standardized
accounting system. PROFORMA is also used to print reports and statements used to create the
Inception balance entries for the receivership and initial starting balances for the assuming
institution(s).

PROFORMA is significantly behind schedule, as its development has significant environmental
challenges to overcome. The original project transition date of October 2012 was revised to
May 24, 2013 and extended to May 31, 2014. The project was built and initially tested by the
developers at an off-site location. When the system was tested in the FDIC’s technical
environment, significant challenges became apparent especially when operating at a failed
bank’s off-site location.
Technical issues involving the FDIC’s hardware, DIT’s testing
capacities, and limitations of bandwidth availability at failed bank locations were not
communicated to the developers prior to construction of the IT solution. As a result, additional
costs have been incurred to upgrade the FDIC’s hardware and solutions are required to mitigate
these challenges.

[5] Although the project was over budget from a time perspective, because the project involved a firm fixed price
contract, the project was within its cost budget.

Appendix 5

Corporation Comments

Federal Deposit Insurance Corporation
3501 Fairfax Drive, Arlington, VA 22226-3500                    Chief Information Officer

DATE:       June 25, 2014

TO:         Stephen M. Beard
            Deputy Inspector General for Audits and Evaluations

FROM:       Martin Henning /Signed/
            Acting Chief Information Officer

SUBJECT:    Management Response to the Draft Audit Report Entitled,
            The FDIC’s Information Technology Project Management Process
            (Assignment No. 2013-013)

Thank you for the opportunity to comment on the Office of Inspector General’s (OIG) draft
report on FDIC’s information technology project management processes issued
May 14, 2014. In its report, the OIG made one recommendation to the Acting Chief Information
Officer (CIO), the CIO agrees with the recommendation, and actions to address the
recommendation are planned or underway.
Our specific response to the recommendation is
provided below.

MANAGEMENT RESPONSE

Recommendation 1
The OIG recommended that the Acting CIO:
      “(1) advise client divisions and offices, IT project teams, DIT intersecting organizations,
      and appropriate governance bodies of the key factors in project success or challenges and
      related controls we identified in this report and (2) determine whether guidance in any of
      these areas needs to be strengthened.”

      Management Decision: Concur

      Corrective Action: The CIO believes that although due diligence is being exercised in
      advising stakeholders of the key factors and supporting guidance, both could be
      enhanced. The CIO agrees with the OIG that these key factors warrant a review to
      validate that stakeholders are properly advised and that current guidance is appropriate.

Appendix 6

Summary of the Corporation’s Corrective Actions

This table presents corrective actions taken or planned by the Corporation in response to the
recommendation in the report and the status of the recommendation as of the date of report
issuance.

Rec. No.  Corrective Action: Taken        Expected         Monetary   Resolved:[a]   Open or
          or Planned                      Completion Date  Benefits   Yes or No      Closed[b]
1         Brief client divisions and      11/07/2014       $0         Yes            Open
          offices, IT project teams,
          DIT intersecting
          organizations, and
          appropriate governance
          bodies regarding the key
          factors in project success, or
          challenges and related
          controls identified in the
          report and determine
          whether current guidance
          needs to be strengthened.

[a] Resolved – (1) Management concurs with the recommendation, and the planned, ongoing, and completed
                   corrective action is consistent with the recommendation.
               (2) Management does not concur with the recommendation, but alternative action meets the
                   intent of the recommendation.
               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0)
                   amount. Monetary benefits are considered resolved as long as management provides an
                   amount.
[b] Recommendations will be closed when (a) Corporate Management Control notifies the OIG that corrective
    actions are complete or (b) in the case of recommendations that the OIG determines to be particularly
    significant, when the OIG confirms that corrective actions have been completed and are responsive.
"